Zara data breach exposes 197,400 customers via ShinyHunters ransomware attack on Anodot–Snowflake supply chain. Emails, order IDs & support tickets leaked.

Continue reading
Hackers exposed data tied to roughly 200,000 Zara customers in an alleged ransomware attack. The retailer previously appeared on a leak site connected to the ShinyHunters Salesforce extortion campaign. The breach has since been precisely quantified — a new entry by the data-breach tracking platform HaveIBeenPwned (HIBP) confirmed that exactly 197,400 customers were exposed in the leak.
April 6, 2026 — Initial Intrusion via Third-Party Vector
In the April 6th Anodot attack, the ransomware gang was said to have used stolen authentication tokens from the _"SaaS integration provider"_ to access the sensitive data. When ransomware actors ShinyHunters broke into Anodot, they were able to access those integrations and steal files belonging to multiple companies. The attack specifically targeted Anodot's integration layer with Snowflake-hosted customer environments.
April 15–16, 2026 — Zara Listed on Dark Leak Site; Inditex Discloses Breach
ShinyHunters claimed to have breached Zara's networks through a previous compromise of the Israeli AI analytics firm Anodot as part of an attack wave earlier this month, posting Zara on its dark leak site and claiming to have hacked the company's _"BigQuery databases,"_ as part of a _"pay or leak"_ campaign — giving the company a deadline of April 21.
Inditex, Zara's parent company and the world's largest fashion retailer, announced on April 16th it had been hit following a third-party breach involving one of its technology providers.
Post-April 21 Deadline — Ransom Refused; Data Dumped
After ignoring ShinyHunters' ransomware threats, the gang, as promised, dumped a large cache of data allegedly exfiltrated from Zara's networks.
ShinyHunters is a sophisticated, financially motivated ransomware and data extortion group operating a "pay or leak" dark web model. In the current campaign, the group's operational scope extended well beyond Zara. Other Salesforce victims listed on the ransomware leak site include Canada Life Assurance Company (5.6M records), Pitney Bowes (25M records), Marcus & Millichap (30M records), and Aman Resorts (500K records).
Notably, on June 25, 2025, French authorities announced the arrest of four alleged members of ShinyHunters across multiple regions of France.
The breach illustrates a textbook third-party supply chain attack — a threat model where adversaries bypass a target's hardened perimeter by compromising an upstream software or analytics provider.
ShinyHunters claims Zara data was exposed through the Anodot compromise. The Anodot-linked attack wave hit Snowflake customer environments.
By obtaining authentication tokens belonging to Anodot — rather than Inditex directly — the attackers effectively inherited whatever database access permissions Anodot held on behalf of its clients. This token-based lateral movement is a particularly dangerous technique because it bypasses credential-based perimeter controls entirely.
The group published a terabyte of data, allegedly including 95 million support ticket records. The data contained 197,400 unique email addresses alongside product SKUs, order IDs, and the market the support ticket originated in, according to HIBP.
Inditex's own statement confirmed: the information of customers from different markets included customer email addresses, purchase history, order IDs, plus product and support ticket information.
What Was NOT Exposed: The fashion powerhouse said names, surnames, telephone numbers, addresses, passwords, bank cards, or other payment methods were not exposed.
While Inditex's containment statement is reassuring on its face, the exposed dataset carries meaningful secondary risks. The breach could give hackers a sharper phishing playbook by tying customer identities to real orders and complaints. A threat actor combining leaked email addresses with real order IDs and support ticket context can construct highly convincing spear-phishing emails that impersonate Zara customer service — a tactic far more persuasive than generic credential-harvesting lures.
When PII is involved, there's always a chance of social engineering attacks. The impact depends on whether the data in question belongs to the company employees or customers, the Cybernews research team notes.
Zara is the flagship fashion brand of Inditex, one of the world's largest apparel groups. Inditex reported revenue of about €38.6 billion in fiscal 2025 and employs roughly 160,000 people worldwide. Zara operates in more than 90 countries through thousands of stores and online platforms.
Given the multinational scope of affected customers, Inditex faces potential regulatory scrutiny across multiple jurisdictions governed by the GDPR. Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, noting that the incident stems from a security incident that affected a former technology provider and has impacted several companies operating internationally.
This incident does not stand in isolation. MANGO, another Spanish fashion retailer giant, also sent notices of a data breach to its customers in October, warning them that personal data used in marketing campaigns had been compromised after its marketing vendor was hacked. No ransomware or extortion groups have claimed the MANGO incident, so the attackers remain unknown.

Millions of driver's license records were exposed in a massive data breach, raising identity theft risks and highlighting critical data security failures.